Abstract. The goal of this paper is to analyze the discrete Lambert map $x \mapsto xg^x \pmod{p^e}$, which is important for the security and verification of the ElGamal digital signature scheme. We use $p$-adic methods ($p$-adic interpolation and Hensel's Lemma) to count the number of solutions $x$ of $xg^x \equiv c \pmod{p^e}$, where $p$ is an odd prime and $c$ and $g$ are fixed integers. At the same time, we discover special patterns in the solutions.


1. Introduction 

A discrete logarithm is an integer $x$ solving the equation $g^x \equiv c \pmod p$ for some integers $c$, $g$, and for a prime $p$. Finding discrete logarithms for large primes and fixed values of $c$ and $g$, referred to in this paper as the discrete logarithm problem (DLP), is thought to be difficult. The exponential function is used in different forms of public-key cryptography where the security depends on the difficulty of finding solutions to the DLP. One particular class of cryptosystems where the DLP is important is digital signature schemes, which enable a message's recipient to verify the identity of the sender.

A specific digital signature scheme important for our paper is the ElGamal digital signature scheme, which is a public key system. For this system the values made public are $p$, $g$, $m$, and $h \equiv g^x \pmod p$, while the values known only to the sender are $y$ and $x$. The signature $(s_1, s_2)$ is computed as follows: $s_1 \equiv g^y \pmod p$ and $s_2 \equiv y^{-1}(m - xs_1) \pmod{p-1}$, where $m$ is the message, $p$ is a large prime, $g$ is a generator modulo $p$, $x \in \{1, \ldots, p-2\}$, and $y \in \{1, \ldots, p-2\}$ such that $\gcd(y, p-1) = 1$. The recipient of message $m$ also receives the signature $(s_1, s_2)$ and verifies the message by computing $v_1 \equiv h^{s_1} s_1^{s_2} \pmod p$ and $v_2 \equiv g^m \pmod p$. If $v_1 \equiv v_2 \pmod p$ then the signature is considered authentic.

In order to forge a signature, there are several methods with which to attack the system. One could solve the DLP by computing $x$ from $h \equiv g^x \pmod p$ for a fixed $g$, $h$ and prime $p$. Another method is to fix $s_1$ and solve for $s_2$, requiring finding solutions to the congruence $h^{s_1} s_1^{s_2} \equiv g^m \pmod p$, which is equivalent to solving another DLP since the right hand side of this congruence is a constant. Both of these attacks are considered to be sufficiently hard and thus not feasible as a method of forgery. A third method is to fix $s_2$ and solve for $s_1$, requiring finding solutions to the congruence $h^{s_1} s_1^{s_2} \equiv g^m \pmod p$. Rewriting this congruence, we see that solving it for $s_1$ is equivalent to solving the congruence $s_1 \left(h^{s_2^{-1}}\right)^{s_1} \equiv g^{m s_2^{-1}} \pmod p$ for $s_1$ (with $s_2^{-1}$ taken modulo $p-1$).

Finally, setting $a = h^{s_2^{-1}}$ and $b = g^{m s_2^{-1}}$, we see that solving these congruences is equivalent to solving the congruence $s_1 a^{s_1} \equiv b \pmod p$ for $s_1$ with a fixed $a$ and $b$. Due to its similarity to the Lambert W function [2] and to distinguish it from the DLP, we will refer to the map $s_1 \mapsto s_1 a^{s_1} \pmod p$ as the discrete Lambert map. Thus we define the discrete Lambert problem (DWP) to be the problem of finding integers $x$ such that $xg^x \equiv c \pmod p$ for fixed integers $g$ and $c$.
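The rewriting just described, as an added example that is not part of the paper: a toy ElGamal signature on a small constructed prime, its verification, and the conversion of the verification congruence for a fixed $s_2$ into the form $s_1 a^{s_1} \equiv b \pmod p$. The helper names, the parameters $p = 23$, $g = 5$, $x = 7$, $y = 3$, $m = 9$, and the range check on $s_1$ are our own choices; a real deployment uses a large prime and a fresh random $y$ per signature.

```python
# Added example (not from the paper): a toy ElGamal signature on a small prime
# and the rewriting of its verification congruence into the discrete Lambert
# form s1 * a^s1 = b (mod p). All parameters are constructed for illustration.
from math import gcd


def elgamal_sign(p, g, x, y, m):
    """Signature (s1, s2): s1 = g^y mod p, s2 = y^-1 (m - x s1) mod (p-1)."""
    if gcd(y, p - 1) != 1:
        raise ValueError("y must be invertible modulo p-1")
    s1 = pow(g, y, p)
    y_inv = pow(y, -1, p - 1)            # modular inverse (Python 3.8+)
    s2 = (y_inv * (m - x * s1)) % (p - 1)
    return s1, s2


def elgamal_verify(p, g, h, m, sig):
    """Accept iff v1 = h^s1 * s1^s2 = g^m = v2 (mod p)."""
    s1, s2 = sig
    if not (1 <= s1 <= p - 1):           # reject out-of-range s1 (our added check)
        return False
    v1 = (pow(h, s1, p) * pow(s1, s2, p)) % p
    v2 = pow(g, m, p)
    return v1 == v2


def lambert_form(p, g, h, m, s2):
    """For a fixed s2 with gcd(s2, p-1) = 1, return (a, b) such that the
    verification congruence h^s1 * s1^s2 = g^m (mod p) is equivalent to
    s1 * a^s1 = b (mod p): a = h^(s2^-1), b = g^(m s2^-1), the inverse of s2
    being taken modulo p-1 (exponents live modulo the group order)."""
    s2_inv = pow(s2, -1, p - 1)
    a = pow(h, s2_inv, p)
    b = pow(g, (m * s2_inv) % (p - 1), p)
    return a, b


def satisfies_lambert(p, a, b, s1):
    """Check s1 * a^s1 = b (mod p): s1 is a solution of this DWP instance."""
    return (s1 * pow(a, s1, p)) % p == b


if __name__ == "__main__":
    p, g = 23, 5           # constructed toy parameters; 5 generates (Z/23Z)^*
    x, y, m = 7, 3, 9      # private key x, per-signature secret y, message m
    h = pow(g, x, p)
    sig = elgamal_sign(p, g, x, y, m)
    a, b = lambert_form(p, g, h, m, sig[1])
    print(sig, elgamal_verify(p, g, h, m, sig))
    print((a, b), satisfies_lambert(p, a, b, sig[0]))
```

A genuine signature always satisfies the rewritten congruence, which is exactly why the count of solutions to $s_1 a^{s_1} \equiv b \pmod p$ (rather than the single intended $s_1$) is the security-relevant quantity studied in the rest of the paper.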

While the DLP has been studied extensively, the DWP has received very little attention, although some introductory work has been done by Chen and Lotts on the DWP modulo $p$ [1]. The lack of attention received by the DWP is in part because it is considered to be more difficult to solve than the DLP, but due to the implications that it has on the security of the ElGamal scheme we believe that it is important to study.

Finding exact formulas for the solutions seems extremely difficult, but counting the number of solutions for a fixed $g$ and $c$ and in an extended range of values for $x$ is much easier. In addition, we can find patterns in the solutions that will give us insight into the DWP. Beyond finding solutions and patterns modulo an odd prime $p$, we also wanted to look at solutions modulo $p^e$ in a similar fashion to what Holden and Robinson [3] do for the DLP.

2. Counting Solutions 

We begin by looking at the DWP modulo $p$, counting the solutions and finding patterns. The following theorems describe the number of solutions:

Theorem 1. If $p$ is an odd prime, $g$ a generator modulo $p$, and $c \not\equiv 0 \pmod p$, then for fixed $g$ and $c$, if we consider the function

$$f(x) = xg^x - c \equiv 0 \pmod p \qquad (1)$$

where $x \in \{1, \ldots, p(p-1) \mid x \not\equiv 0 \bmod p\}$, then the number of $x$ such that $f(x) \equiv 0 \pmod p$ is $p-1$ and the solution set forms a complete residue system modulo $p-1$. In other words, the solutions are distinct modulo $p-1$.

Proof. Since $g$ is a generator, we can take the logarithm base $g$ of equation (1) to get

$$\log_g x + x \equiv \log_g c \pmod{p-1}. \qquad (2)$$

In order to show the solution set of equation (1) forms a complete residue system modulo $p-1$, we need to show there exist $p-1$ distinct solutions to equation (1), one for each $x_0$ such that

$$x \equiv x_0 \pmod{p-1}, \quad \text{for each } x_0 \in \mathbb{Z}/(p-1)\mathbb{Z}. \qquad (3)$$

If we subtract equation (3) from equation (2), we get

$$\log_g x \equiv \log_g c - x_0 \pmod{p-1}. \qquad (4)$$

Then when we raise $g$ to the power of each side of equation (4), we get

Finally we can apply the Chinese Remainder Theorem to equations (3) and (5), for each $x_0$, and conclude that there exist $p-1$ distinct solutions and they form a complete residue system modulo $p-1$.

□


We can also look at what happens when $g$ is not a generator:

Theorem 2. Let $p$ be an odd prime and $m = \operatorname{ord}_p(g)$. For fixed $g$ and $c$ such that $p \nmid g$ and $p \nmid c$, if we consider the function

$$f(x) = xg^x - c$$

where $x \in \{1, \ldots, pm \mid x \not\equiv 0 \bmod p\}$, then the number of $x$ such that $f(x) \equiv 0 \pmod p$ is equal to $m$, and they are all distinct modulo $m$.

Proof. Let

$$x \equiv x_0 \pmod m. \qquad (6)$$

Then we have the following equivalent statements:

$$f(x) = xg^x - c \equiv 0 \pmod p$$
$$xg^{x_0} - c \equiv 0 \pmod p$$
$$xg^{x_0} \equiv c \pmod p$$
$$x \equiv cg^{-x_0} \pmod p. \qquad (7)$$

So for each $x_0 \in \{1, \ldots, m\}$ there is an $x \in \{1, \ldots, p\}$, and so by the Chinese Remainder Theorem on equations (6) and (7) there is exactly one $x \in \{1, \ldots, pm\}$ such that $x$ is a zero of $f(x)$ where $x \equiv x_0 \pmod m$. Hence, the number of zeros of $f(x) \equiv 0 \pmod p$ is equal to $m$, and they are all distinct modulo $m$. □
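Theorems 1 and 2 can be checked directly on small parameters. The following is an added example, not code from the paper: it enumerates the range $\{1, \ldots, pm\}$ with $p \nmid x$, collects the solutions of $xg^x \equiv c \pmod p$, and reports whether their number equals $m = \operatorname{ord}_p(g)$ and whether they are pairwise distinct modulo $m$. The helper names and the test parameters ($p = 5$, $g = 2$, $c = 1$ and $p = 7$, $g = 2$, $c = 3$) are ours.

```python
# Added example (not from the paper): brute-force enumeration of the solutions
# of x g^x = c (mod p) over x in {1, ..., pm} with p not dividing x, used to
# check Theorems 1 and 2 on constructed small parameters. Helper names are ours.


def order(g, n):
    """Multiplicative order of a unit g modulo n (small n only)."""
    return next(k for k in range(1, n) if pow(g, k, n) == 1)


def lambert_solutions_mod_p(p, g, c):
    """All x in {1, ..., p*m}, p not dividing x, with x g^x = c (mod p), m = ord_p(g)."""
    m = order(g, p)
    return [x for x in range(1, p * m + 1)
            if x % p != 0 and (x * pow(g, x, p)) % p == c % p]


def check_theorem_2(p, g, c):
    """Return (count, distinct_mod_m). Theorem 2 predicts count == m and that
    the solutions are pairwise distinct modulo m; Theorem 1 is the case
    m = p - 1 (g a generator), where every residue modulo p - 1 is then hit."""
    m = order(g, p)
    sols = lambert_solutions_mod_p(p, g, c)
    return len(sols), len({x % m for x in sols}) == len(sols) == m


if __name__ == "__main__":
    # constructed case: p = 5, g = 2 (a generator, so m = 4), c = 1
    print(lambert_solutions_mod_p(5, 2, 1))
    # g = 2 has order 3 modulo 7, so Theorem 2 predicts three solutions
    print(check_theorem_2(7, 2, 3))
```

For $p = 5$, $g = 2$, $c = 1$ the solutions in $\{1, \ldots, 20\}$ are $7, 13, 14, 16$, which reduce to $3, 1, 2, 0$ modulo $4$: one representative of each class, as Theorem 1 states.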

3. Interpolation 

In order to count solutions of the DWP modulo $p^e$, we need to interpolate the function $f(x) = xg^x - c$, defined on $x \in \mathbb{Z}$, to a function on $x \in \mathbb{Z}_p$, for $p$ an odd prime and fixed $g, c \in \mathbb{Z}_p$. However, interpolation is only possible when $g \in 1 + p\mathbb{Z}_p$ [5]. In order to apply the following theorem from Katok we need to show $f(x) = xg^x - c$ is uniformly continuous if $g \in 1 + p\mathbb{Z}_p$. Then we can interpolate $f : \mathbb{Z} \to \mathbb{Z}_p$ to a new uniformly continuous function $f_{x_0} : \mathbb{Z}_p \to \mathbb{Z}_p$.

Theorem 3 (Thm. 4.15 of [5]). Let $E$ be a subset of $\mathbb{Z}_p$ and let $\bar{E}$ be its closure. Let $f : E \to \mathbb{Q}_p$ be a function uniformly continuous on $E$. Then there exists a unique function $F : \bar{E} \to \mathbb{Q}_p$ uniformly continuous and bounded on $\bar{E}$ such that

$$F(x) = f(x) \quad \text{if } x \in E.$$

Proposition 4. If $p$ is an odd prime, $c \in \mathbb{Z}_p$ is fixed, and $g \in 1 + p\mathbb{Z}_p$, then $f(x) = xg^x - c$ is uniformly continuous for $x \in \mathbb{Z}$.

Proof. Suppose $g = 1 + pA$ where $A \in \mathbb{Z}_p$. We know that given any $\varepsilon > 0$, there exists an $N$ such that $p^{-N} < \varepsilon$. Let $x, y \in \mathbb{Z}$ such that $|x - y|_p \le p^{-N}$, or $(x - y) \in p^N\mathbb{Z}_p$, and $x = y + bp^N$ where $b \in \mathbb{Z}$; then we need to show that

$$|xg^x - c - (yg^y - c)|_p < \varepsilon.$$

Note that

$$g^{bp^N} = (1 + pA)^{bp^N} = 1 + bp^N pA + \cdots + (pA)^{bp^N} \in 1 + p^{N+1}\mathbb{Z}_p,$$

so we know that $g^{bp^N} - 1 \in p^{N+1}\mathbb{Z}_p$, or $|g^{bp^N} - 1|_p \le p^{-(N+1)}$. Further, since $y \in \mathbb{Z}$, $|y|_p \le 1$. Also note that $|bp^N g^{bp^N}|_p \le p^{-N}$. Now, consider

$$|xg^x - yg^y|_p = |(y + bp^N)g^{y + bp^N} - yg^y|_p$$
$$= |yg^y g^{bp^N} + bp^N g^{y + bp^N} - yg^y|_p$$
$$= |g^y|_p \, |yg^{bp^N} + bp^N g^{bp^N} - y|_p, \quad \text{and since } g \in 1 + p\mathbb{Z}_p,\ |g^y|_p = 1,$$
$$= |yg^{bp^N} + bp^N g^{bp^N} - y|_p$$
$$= |(g^{bp^N} - 1)y + bp^N g^{bp^N}|_p$$
$$\le \max\{|g^{bp^N} - 1|_p |y|_p,\ |bp^N g^{bp^N}|_p\}$$
$$\le p^{-N} < \varepsilon.$$

Hence, if $p$ is an odd prime, $c \in \mathbb{Z}_p$ is fixed, and $g \in 1 + p\mathbb{Z}_p$, we have shown that $f(x) = xg^x - c$ is uniformly continuous for $x \in \mathbb{Z}$. □

Now we can apply Theorem 3 of [5] to interpolate $f : \mathbb{Z} \to \mathbb{Z}_p$ to a function $f_{x_0} : \mathbb{Z}_p \to \mathbb{Z}_p$. If we let $\omega(g)$ be a $(p-1)$th root of $1$ in $\mathbb{Z}_p$, which is also called the Teichmüller character of $g$, and $\langle g \rangle \in 1 + p\mathbb{Z}_p$, then we can rewrite $g = \omega(g)\langle g \rangle$ where $\langle g \rangle = g\,\omega(g)^{-1} \in 1 + p\mathbb{Z}_p$. So we can consider a new function $f_{x_0}(x) = x\,\omega(g)^{x_0}\langle g \rangle^x - c$, and we have the following proposition.

Proposition 5. For an odd prime $p$, let $g \in \mathbb{Z}_p$ such that $p \nmid g$ and $x_0 \in \mathbb{Z}/(p-1)\mathbb{Z}$, and let

$$I_{x_0} = \{x \in \mathbb{Z} \mid x \equiv x_0 \pmod{p-1}\} \subset \mathbb{Z}.$$

Then

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\langle g \rangle^x - c$$

defines a uniformly continuous function on $\mathbb{Z}_p$ such that $f_{x_0}(x) = f(x)$ whenever $x \in I_{x_0}$.
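The decomposition $g = \omega(g)\langle g \rangle$ and Proposition 5 can be made concrete modulo $p^e$. The following is an added example, not code from the paper: it computes $\omega(g)$ and $\langle g \rangle$ modulo $p^e$, checks that $f_{x_0}(x)$ agrees with $f(x)$ on every $x \equiv x_0 \pmod{p-1}$, and exhibits the continuity behind the interpolation through the order of $\langle g \rangle$. The helper names are ours, and we assume (a standard fact about the $p$-adic limit $\lim_k g^{p^k}$) that $\omega(g) \equiv g^{p^{e-1}} \pmod{p^e}$.

```python
# Added example (not from the paper): omega(g) and <g> modulo p^e, and a check
# of Proposition 5 that f_{x0}(x) = x omega(g)^{x0} <g>^x - c equals
# f(x) = x g^x - c whenever x = x0 (mod p-1). Helper names are ours.
# Assumption: omega(g) is represented modulo p^e by g^(p^(e-1)), because the
# p-adic limit of g^(p^k) is already stable modulo p^e once k >= e-1.


def teichmuller(g, p, e):
    """omega(g) mod p^e: the (p-1)th root of unity congruent to g modulo p."""
    return pow(g, p ** (e - 1), p ** e)


def unit_part(g, p, e):
    """<g> = g * omega(g)^(-1) mod p^e, an element of 1 + pZ_p."""
    q = p ** e
    return (g * pow(teichmuller(g, p, e), -1, q)) % q


def f_plain(x, g, c, p, e):
    """f(x) = x g^x - c reduced modulo p^e."""
    return (x * pow(g, x, p ** e) - c) % (p ** e)


def f_interp(x, x0, g, c, p, e):
    """f_{x0}(x) = x omega(g)^{x0} <g>^x - c reduced modulo p^e."""
    q = p ** e
    om, u = teichmuller(g, p, e), unit_part(g, p, e)
    return (x * pow(om, x0, q) * pow(u, x, q) - c) % q


def proposition_5_holds(g, c, p, e):
    """True iff f_{x0}(x) == f(x) mod p^e for every x in 1..p^e(p-1), with
    x0 = x mod (p-1); omega(g)^{x0} = omega(g)^x because omega(g)^(p-1) = 1."""
    return all(f_interp(x, x % (p - 1), g, c, p, e) == f_plain(x, g, c, p, e)
               for x in range(1, p ** e * (p - 1) + 1))


def unit_part_period(g, p, e):
    """Order of <g> modulo p^e. It divides p^(e-1), so <g>^x modulo p^e depends
    only on x modulo p^(e-1): p-adically close exponents give close values."""
    q, u = p ** e, unit_part(g, p, e)
    return next(k for k in range(1, q) if pow(u, k, q) == 1)


if __name__ == "__main__":
    # constructed case: p = 5, e = 2, g = 2, c = 1
    print(teichmuller(2, 5, 2), unit_part(2, 5, 2))       # omega(2) = 7, <2> = 11 mod 25
    print(proposition_5_holds(2, 1, 5, 2), unit_part_period(2, 5, 2))
```

Modulo $25$ one gets $\omega(2) = 7$ (indeed $7^4 \equiv 1$ and $7 \equiv 2 \pmod 5$) and $\langle 2 \rangle = 11 \equiv 1 \pmod 5$, with $7 \cdot 11 \equiv 2$; the order of $\langle 2 \rangle$ is $5 = p^{e-1}$, so $\langle 2 \rangle^x$ is determined by $x$ modulo $5$.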


4. Hensel’s Lemma 

Lemma 6 (Hensel's Lemma, Cor. 3.3 of [3]). Let $f(x)$ be a convergent power series in $\mathbb{Z}_p[[x]]$ and let $a \in \mathbb{Z}_p$ such that $f'(a) \not\equiv 0 \pmod p$ and $f(a) \equiv 0 \pmod p$. Then there exists a unique $x \in \mathbb{Z}_p$ for which $x \equiv a \pmod p$ and $f(x) = 0$ in $\mathbb{Z}_p$.

Lemma 7. If we consider the function

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\exp(x\log(\langle g \rangle)) - c,$$

then for any $a \in \mathbb{Z}_p$ such that $f_{x_0}(a) \equiv 0 \pmod p$, we have $f_{x_0}'(a) \not\equiv 0 \pmod p$.

Proof. Consider

$$f(x) = xg^x - c \pmod p.$$

If we take $x_0 \in \mathbb{Z}/m\mathbb{Z}$ where $m = \operatorname{ord}_p(g)$, we have

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\exp(x\log(\langle g \rangle)) - c.$$

Note that $\langle g \rangle \in 1 + p\mathbb{Z}_p$. Furthermore, since $\log(\langle g \rangle) \in p\mathbb{Z}_p$, by the definition of the $p$-adic exponential function we know that $\exp(x\log(\langle g \rangle)) \in 1 + p\mathbb{Z}_p$. Taking the derivative of $f_{x_0}(x)$ (see Proposition 4.4.4 of [4]), we have

$$\frac{df_{x_0}}{dx}(x) = \omega(g)^{x_0}\exp(x\log(\langle g \rangle)) + x\,\omega(g)^{x_0}\exp(x\log(\langle g \rangle))\log(\langle g \rangle)$$
$$\equiv \omega(g)^{x_0}\exp(x\log(\langle g \rangle)) \pmod p$$
$$\equiv \omega(g)^{x_0} \pmod p$$
$$\not\equiv 0 \pmod p.$$

□

Proposition 8. For $p$ an odd prime, let $g \in \mathbb{Z}_p$ be fixed and let $m = \operatorname{ord}_p(g)$. Then for every $x_0 \in \mathbb{Z}/m\mathbb{Z}$, there is exactly one solution to the function

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\langle g \rangle^x - c \equiv 0 \pmod p$$

for $x \in \mathbb{Z}_p$.

Proof. We know that $\langle g \rangle \equiv 1 \pmod p$, so the equation simplifies to

$$x\,\omega(g)^{x_0} \equiv c \pmod p.$$

For fixed $g$ and $x_0$, this has exactly one solution.

We know that $\langle g \rangle$ is in $1 + p\mathbb{Z}_p$, so we can say

$$\langle g \rangle^x = \exp(x\log(\langle g \rangle)) = 1 + x\log(\langle g \rangle) + \frac{x^2\log(\langle g \rangle)^2}{2!} + \text{higher order terms in powers of } \log(\langle g \rangle).$$

By the definition of the $p$-adic logarithm we know $\log(\langle g \rangle) \in p\mathbb{Z}_p$. Since

$$\lim_{i \to \infty} \left| \frac{\log(\langle g \rangle)^i}{i!} \right|_p = 0,$$

we have a convergent power series. We showed in Lemma 7 that $f_{x_0}(x)$ satisfies the rest of the conditions of Hensel's Lemma, so we can apply the lemma to say there is a unique solution for $x \in \mathbb{Z}_p$ such that $f_{x_0}(x) \equiv 0 \pmod p$. □

Now we can take Theorems 1 and 2 and generalize them to consider solutions modulo $p^e$.

Theorem 9 (Generalization of Theorem 2). Let $p$ be an odd prime and $m = \operatorname{ord}_p(g)$. For fixed $g$ and $c$ such that $p \nmid g$ and $p \nmid c$, if we consider the function

$$f(x) = xg^x - c$$

where $x \in \{1, \ldots, p^e m \mid x \not\equiv 0 \bmod p\}$, then the number of $x$ such that $f(x) \equiv 0 \pmod{p^e}$ is equal to $m$, and they are all distinct modulo $m$.

Proof. We can use Hensel's Lemma to count the number of solutions modulo $p^e$ given the number of solutions modulo $p$. In other words, the number of solutions to

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\exp(x\log(\langle g \rangle)) - c \equiv 0 \pmod{p^e}$$

is the same as the number of solutions to

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\exp(x\log(\langle g \rangle)) - c \equiv 0 \pmod p$$

because of the bijection from the solution set of $f_{x_0}(x) \equiv 0$ modulo $p$ to the solution set modulo $p^e$. We showed in Proposition 8 that there is exactly one $x_1 \in \{1, \ldots, p\}$ such that

$$x_1\,\omega(g)^{x_0}\langle g \rangle^{x_1} \equiv c \pmod p,$$

so using Hensel's Lemma there is exactly one $x_1 \in \{1, \ldots, p^e\}$ such that

$$x_1\,\omega(g)^{x_0}\langle g \rangle^{x_1} \equiv c \pmod{p^e}.$$

By the Chinese Remainder Theorem, there will be exactly one $x \in \{1, \ldots, p^e m\}$ such that

$$x \equiv x_0 \pmod m$$

and

$$x \equiv x_1 \pmod{p^e}.$$

From the interpolation above we had $x \equiv x_0 \pmod m$, and we know that for this $x \in \{1, \ldots, p^e m\}$:

$$f_{x_0}(x) = x\,\omega(g)^{x_0}\langle g \rangle^x - c \equiv 0 \pmod{p^e}.$$

Since there is exactly one such $x$ for each $x_0 \in \{1, \ldots, m\}$, there are $m$ solutions to $f(x) \equiv 0 \pmod{p^e}$. □


Corollary 10 (Generalization of Theorem 1). If $p$ is an odd prime, $g$ a generator modulo $p$, and $c \not\equiv 0 \pmod p$, then for fixed $g$ and $c$, if we consider the function

$$f(x) = xg^x - c \qquad (8)$$

where $x \in \{1, \ldots, p^e(p-1) \mid x \not\equiv 0 \bmod p\}$, then the number of $x$ such that $f(x) \equiv 0 \pmod{p^e}$ is $p-1$ and the solution set forms a complete residue system modulo $p-1$.

Proof. Since $g$ is a generator modulo $p$, $m = \operatorname{ord}_p(g) = p-1$. Then we can apply Theorem 9 and there are $p-1$ solutions to $xg^x \equiv c \pmod{p^e}$ and they form a complete residue system modulo $p-1$ because they are distinct modulo $p-1$. □
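The lifting argument of Theorem 9 can be carried out with plain integers. The following is an added example, not code from the paper: for each class $x_0$ modulo $m$ it starts from the unique solution modulo $p$ of Theorem 2 and raises it to a solution modulo $p^e$ one power of $p$ at a time, checking at every level that exactly one of the $p$ candidates works (the integer shadow of the uniqueness in Hensel's Lemma), and then compares the result with a direct search. The helper names, the lifting strategy and the parameters are ours; the reason exactly one candidate lifts is spelled out in the docstring of the lifting function.

```python
# Added example (not from the paper): lift the m solutions of x g^x = c (mod p)
# (Theorem 2) to solutions modulo p^e (Theorem 9) level by level, and check the
# result against brute force. Names and the lifting strategy are ours.


def order(g, n):
    """Multiplicative order of a unit g modulo n (small n only)."""
    return next(k for k in range(1, n) if pow(g, k, n) == 1)


def crt_pair(a1, n1, a2, n2):
    """Unique x mod n1*n2 with x = a1 (mod n1) and x = a2 (mod n2); gcd(n1, n2) = 1."""
    t = ((a2 - a1) * pow(n1, -1, n2)) % n2
    return (a1 + n1 * t) % (n1 * n2)


def lift_lambert_solutions(p, e, g, c):
    """Return the m = ord_p(g) solutions of x g^x = c (mod p^e) in {1, ..., p^e m}.

    Inside a fixed class x = x0 (mod m), any candidate x' = x + t*m*p^k satisfies
    g^(x') = g^x * (g^m)^(t p^k) = g^x (mod p^(k+1)), because g^m = 1 (mod p).
    Hence f(x') = f(x) + t*m*p^k*g^x (mod p^(k+1)) is linear in t with a unit
    slope m*g^x (p does not divide m, since m | p-1), so exactly one t in
    0..p-1 turns a solution modulo p^k into a solution modulo p^(k+1)."""
    m = order(g, p)
    sols = []
    for x0 in range(1, m + 1):
        a = (c * pow(g, -x0, p)) % p            # solution modulo p in this class, eq. (7)
        x = crt_pair(x0 % m, m, a, p)           # x = x0 (mod m) and x = a (mod p)
        for k in range(1, e):
            step, q = m * p ** k, p ** (k + 1)
            lifts = [t for t in range(p)
                     if ((x + t * step) * pow(g, x + t * step, q) - c) % q == 0]
            if len(lifts) != 1:
                raise AssertionError("expected exactly one lift at level %d" % (k + 1))
            x += lifts[0] * step
        sols.append(x)
    return sorted(sols)


def brute_lambert_solutions(p, e, g, c):
    """Direct search over {1, ..., p^e m}, p not dividing x (cross-check only)."""
    m, q = order(g, p), p ** e
    return [x for x in range(1, q * m + 1)
            if x % p and (x * pow(g, x, q) - c) % q == 0]


if __name__ == "__main__":
    # constructed case: p = 5, e = 2, g = 2 (so m = 4), c = 1
    print(lift_lambert_solutions(5, 2, 2, 1))    # [14, 16, 53, 67]
    print(brute_lambert_solutions(5, 2, 2, 1))   # the same four values
```

For $p = 5$, $e = 2$, $g = 2$, $c = 1$ the four solutions modulo $25$ in $\{1, \ldots, 100\}$ are $14, 16, 53, 67$; they reduce modulo $5$ to the Theorem 2 solutions $14, 16, 13, 7$ (modulo $20$) and modulo $4$ to $2, 0, 1, 3$, one per class, as Corollary 10 states.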


5. Patterns in the Solutions 

After counting the number of solutions to the DWP, we looked at patterns relating to $g$ and $c$ in the solutions modulo $p$ and modulo $p^e$. One such pattern relates the solutions to the $c$ values associated with them:


Theorem 11. Let $p$ be an odd prime and $m = \operatorname{ord}_p(g)$. For fixed $g$ and $c$ such that $p \nmid g$ and $p \nmid c$, if we consider the function

$$f(x) = xg^x - c$$

where $x \in \{1, \ldots, p^e m \mid x \not\equiv 0 \bmod p\}$, then for any other $c' \in \{1, \ldots, p^{e-1}(p-1)\}$, let $x_{i,c'}$ and $x_{j,c}$ for $1 \le i, j \le m$ index the $m$ solutions to

$$x_{i,c'}\,g^{x_{i,c'}} \equiv c' \pmod{p^e}$$

and

$$x_{j,c}\,g^{x_{j,c}} \equiv c \pmod{p^e},$$

respectively. If $c' \equiv x_{j,c} \pmod p$, then for each $x_{i,c'}$ there exists a unique $k$, $1 \le k \le m$, and $x_{k,c}$ such that $x_{k,c} \equiv x_{i,c'} \pmod p$.


Proof. We know from Theorem 9 that there are $m$ solutions to $f(x) \equiv 0 \pmod{p^e}$. We will show for fixed $i, j$ that if $c' \equiv x_{j,c} \pmod p$, then for all $x_{i,c'}$ there exists a unique $x_{k,c}$ such that $x_{i,c'} \equiv x_{k,c} \pmod p$. To begin, we have the equations

$$x_{i,c'}\,g^{x_{i,c'}} \equiv c' \pmod{p^e} \qquad (9)$$

and

$$x_{j,c}\,g^{x_{j,c}} \equiv c \pmod{p^e}, \quad \text{or equivalently}$$
$$x_{j,c} \equiv cg^{-x_{j,c}} \pmod{p^e}. \qquad (10)$$

Since $x_{k,c}$ ranges through the solutions to

$$x_{k,c}\,g^{x_{k,c}} \equiv c \pmod{p^e} \qquad (11)$$

where $k \in \{1, \ldots, m\}$, and by Theorem 9 the solutions $x_{k,c}$ are all distinct modulo $m$, we can choose $x_{k,c}$ specifically by the Chinese Remainder Theorem so that

$$x_{i,c'} \equiv x_{k,c} - x_{j,c} \pmod m. \qquad (12)$$

This use of the Chinese Remainder Theorem will give a unique $x_{k,c}$ for each $x_{i,c'}$ because $x_{i,c'}$ and $x_{j,c}$ are both fixed. Now, we originally said that $c' \equiv x_{j,c} \pmod p$, so we have the following equivalent statements from equations (9) and (10):

$$x_{i,c'}\,g^{x_{i,c'}} \equiv cg^{-x_{j,c}} \pmod p.$$

We can substitute $c$ with equation (11):

$$x_{i,c'}\,g^{x_{i,c'}} \equiv x_{k,c}\,g^{x_{k,c}}g^{-x_{j,c}} \pmod p$$
$$\equiv x_{k,c}\,g^{x_{k,c} - x_{j,c}} \pmod p.$$

Finally, using equation (12) we simplify to:

$$x_{i,c'} \equiv x_{k,c} \pmod p.$$

Thus, for all $i \in \{1, \ldots, m\}$, there is some unique $k$ such that $x_{i,c'} \equiv x_{k,c} \pmod p$ when $c' \equiv x_{j,c} \pmod p$. □

Another pattern we found involves the sum of the solutions modulo $p$ and modulo $m$:

Theorem 12. Let $p$ be an odd prime and $m = \operatorname{ord}_p(g)$. For fixed $g$ and $c$ such that $p \nmid g$ and $p \nmid c$, if we consider the function

$$f(x) = xg^x - c$$

where $x \in \{1, \ldots, p^e m \mid x \not\equiv 0 \bmod p\}$, then for each $c$ there are $m$ solutions, $x_1, \ldots, x_m$, to $f(x) \equiv 0 \pmod{p^e}$ such that

$$\sum_{i=1}^{m} x_i \equiv 0 \pmod p,$$

and for odd $m$

$$\sum_{i=1}^{m} x_i \equiv 0 \pmod m.$$


Proof. We know from Theorem 9 that there are $m$ solutions to $f(x) \equiv 0 \pmod{p^e}$. First, we will show that for each $c$ the solutions sum as follows:

$$\sum_{i=1}^{m} x_i \equiv 0 \pmod p.$$

Since we said in Theorem 9 that for each $i \in \{1, \ldots, m\}$, $x_i \equiv x_0 \pmod m$ where $x_0 \in \{1, \ldots, m\}$, we can let $x_i \equiv i \pmod m$. Then we know $x_i \equiv cg^{-i} \pmod p$. Taking the sum of these $x_i$ gives us:

$$\sum_{i=1}^{m} x_i \equiv \sum_{i=1}^{m} cg^{-i} \pmod p$$
$$\equiv \sum_{i=0}^{m-1} cg^{-i} \pmod p$$
$$\equiv c\left(\frac{1 - g^{-m}}{1 - g^{-1}}\right) \pmod p$$
$$\equiv c\left(\frac{1 - 1}{1 - g^{-1}}\right) \pmod p$$
$$\equiv 0 \pmod p.$$

Thus, $\sum_{i=1}^{m} x_i \equiv 0 \pmod p$ for each $c$.

Now, we will show that $\sum_{i=1}^{m} x_i \equiv 0 \pmod m$ when $m$ is odd. Again, we have that $x_i \equiv i \pmod m$. For each $i \in \{1, \ldots, m\}$, we have

$$\sum_{i=1}^{m} x_i \equiv \sum_{i=1}^{m} i \pmod m$$
$$\equiv \frac{m(m+1)}{2} \pmod m$$
$$\equiv 0 \pmod m.$$

Thus, $\sum_{i=1}^{m} x_i \equiv 0 \pmod m$.

□
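Theorems 11 and 12 are statements about the whole solution set for every $c$, so they lend themselves to an exhaustive check on small parameters. The following is an added example, not code from the paper: for each unit $c$ modulo $p^e$ it gathers the $m$ solutions, tests the two sums of Theorem 12 (modulo $p$ always, modulo $m$ when $m$ is odd), and for each solution $x_{j,c}$ and each $c' \equiv x_{j,c} \pmod p$ in $\{1, \ldots, p^{e-1}(p-1)\}$ tests the matching of Theorem 11. Helper names and the parameters are ours; the modulo-$m$ check in Theorem 12 presumes $m > 1$ (that is, $g \not\equiv 1 \pmod p$), which is also what the geometric-sum step of the proof needs.

```python
# Added example (not from the paper): exhaustive checks of Theorem 11 (solutions
# for c' = x_{j,c} (mod p) match the solutions for c modulo p) and Theorem 12
# (solutions sum to 0 mod p, and to 0 mod m for odd m) on small parameters.


def order(g, n):
    """Multiplicative order of a unit g modulo n (small n only)."""
    return next(k for k in range(1, n) if pow(g, k, n) == 1)


def solutions(p, e, g, c):
    """All x in {1, ..., p^e m}, p not dividing x, with x g^x = c (mod p^e)."""
    m, q = order(g, p), p ** e
    return [x for x in range(1, q * m + 1)
            if x % p and (x * pow(g, x, q) - c) % q == 0]


def theorem_12_holds(p, e, g):
    """Theorem 12 for every unit c modulo p^e (assumes g != 1 mod p, so m > 1)."""
    m, q = order(g, p), p ** e
    for c in range(1, q):
        if c % p == 0:
            continue
        s = sum(solutions(p, e, g, c))
        if s % p != 0:
            return False
        if m % 2 == 1 and s % m != 0:
            return False
    return True


def theorem_11_holds(p, e, g):
    """For every unit c, every solution x_j of c, and every c' in
    {1, ..., p^(e-1)(p-1)} with c' = x_j (mod p): each solution of c' is
    congruent modulo p to exactly one solution of c."""
    q = p ** e
    for c in range(1, q):
        if c % p == 0:
            continue
        sols_c = solutions(p, e, g, c)
        residues_c = [x % p for x in sols_c]
        for xj in sols_c:
            for c2 in range(1, p ** (e - 1) * (p - 1) + 1):
                if c2 % p != xj % p:
                    continue
                for xi in solutions(p, e, g, c2):
                    if residues_c.count(xi % p) != 1:
                        return False
    return True


if __name__ == "__main__":
    # constructed cases: p = 7, g = 2 (m = 3, odd) and p = 5, g = 2 (m = 4, even)
    print(solutions(7, 1, 2, 1))                     # [2, 4, 15], sum 21 = 0 mod 7 and mod 3
    print(theorem_12_holds(7, 2, 2), theorem_11_holds(7, 2, 2))
    print(theorem_12_holds(5, 2, 2), theorem_11_holds(5, 2, 3))
```

For $p = 7$, $g = 2$, $c = 1$ and $e = 1$ the solutions are $2, 4, 15$: their sum $21$ vanishes both modulo $7$ and modulo $m = 3$, as the odd-$m$ case of Theorem 12 predicts.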


We conjecture that the same pattern of sums holds for solutions modulo $p^e$ and modulo $\operatorname{ord}_{p^e}(g)$, based on the evidence for all odd primes $p < 17$ and $1 \le e \le 4$.

Conjecture 13. Let $p$ be an odd prime, $m_p = \operatorname{ord}_p(g)$ and $m_{p^e} = \operatorname{ord}_{p^e}(g)$. For fixed $g$ and $c$ such that $p \nmid g$ and $p \nmid c$, if we consider the function

$$f(x) = xg^x - c$$

where $x \in \{1, \ldots, p^e m_p \mid x \not\equiv 0 \bmod p\}$, then for each $c$ there are $m_p$ solutions, $x_1, \ldots, x_{m_p}$, to $f(x) \equiv 0 \pmod{p^e}$ such that

$$\sum_{i=1}^{m_p} x_i \equiv 0 \pmod{p^e}$$

and for odd $m$

$$\sum_{i=1}^{m_p} x_i \equiv 0 \pmod{m_{p^e}}.$$

We also looked at some patterns for fixed $x$ and variable $c$.

Theorem 14. Let $p$ be an odd prime. For a fixed $x \in \{1, \ldots, p^e\}$ and for $p \nmid g$ and $c \in \{1, \ldots, p^{e-1}(p-1)\}$, if we consider $xg^x \equiv c \pmod{p^e}$ and let $x(g^{-1})^x \equiv c' \pmod{p^e}$, then $c \cdot c' \equiv x^2 \pmod{p^e}$. Furthermore, if we let $x(-g)^x \equiv c'' \pmod{p^e}$ then $c'' \equiv (-1)^x c \pmod{p^e}$.
Proof. First, we will show that $c \cdot c' \equiv x^2 \pmod{p^e}$. Since $c \equiv xg^x \pmod{p^e}$ and $c' \equiv x(g^{-1})^x \pmod{p^e}$, we can say that

$$c \cdot c' \equiv (xg^x)\left(x(g^{-1})^x\right) \pmod{p^e}$$
$$\equiv x^2 (g^x)(g^{-x}) \pmod{p^e}$$
$$\equiv x^2 \pmod{p^e}.$$

Hence, $c \cdot c' \equiv x^2 \pmod{p^e}$. Now, we need to show that $c'' \equiv (-1)^x c \pmod{p^e}$. We have

$$c'' \equiv x(-g)^x \pmod{p^e}$$
$$\equiv x(-1)^x g^x \pmod{p^e}$$
$$\equiv (-1)^x xg^x \pmod{p^e}$$
$$\equiv (-1)^x c \pmod{p^e}.$$

Thus $c'' \equiv (-1)^x c \pmod{p^e}$.

□


Proposition 15. Let $p$ be an odd prime and $g$ be a generator modulo $p^e$. If $c = \dfrac{p^e + p^{e-1}}{2}$, then $x = \dfrac{p^e - p^{e-1}}{2}$ is one of the solutions to

$$xg^x \equiv c \pmod{p^e}.$$

Proof. By hypothesis, we see that

$$xg^x - c = \frac{p^e - p^{e-1}}{2}\, g^{\frac{p^e - p^{e-1}}{2}} - \frac{p^e + p^{e-1}}{2}$$
$$\equiv \frac{p^e - p^{e-1}}{2}(p^e - 1) - \frac{p^e + p^{e-1}}{2} \pmod{p^e}$$
$$= \frac{p^{2e} - p^{2e-1} - p^e + p^{e-1} - p^e - p^{e-1}}{2}$$
$$= \frac{p^{2e} - p^{2e-1} - 2p^e}{2}$$
$$= \frac{p^e\left(p^e - p^{e-1} - 2\right)}{2}$$
$$= \frac{p^e\left(p^{e-1}(p-1) - 2\right)}{2}$$
$$\equiv 0 \pmod{p^e}.$$

Note that if $g$ is a generator modulo $p^e$, $\operatorname{ord}_{p^e}(g) = p^e - p^{e-1}$, thus $g^{\frac{p^e - p^{e-1}}{2}} \equiv p^e - 1 \pmod{p^e}$ because $(p^e - 1)^2 \equiv 1 \pmod{p^e}$. □


Proposition 16. Let $n \ge 2$ and $n \in \mathbb{Z}^+$. If $\gcd(p, n) = 1$ and $p$ is an odd prime, then

$$\operatorname{ord}_{p^e}(p-1)^n = \begin{cases} p^{e-1} & n \text{ is even} \\ 2p^{e-1} & n \text{ is odd.} \end{cases}$$


Proof. We will prove this by inducting on $e$.
For our base case, let $e = 1$.
When $n$ is even:

$$(p-1)^n = 1 - np + \frac{n(n-1)}{2}p^2 - \cdots + p^n$$
$$= 1 - mp$$
$$\equiv 1 \pmod p,$$

where $m \in \mathbb{Z}$.
When $n$ is odd:

$$(p-1)^{2n} = 1 - 2np + \frac{2n(2n-1)}{2}p^2 - \cdots + p^{2n}$$
$$= 1 + ap$$
$$\equiv 1 \pmod p, \quad \text{and}$$
$$(p-1)^n = -1 + bp$$
$$\equiv p - 1 \pmod p$$
$$\not\equiv 1 \pmod p,$$

where $a, b \in \mathbb{Z}$.

So our base case holds:

$$\operatorname{ord}_p(p-1)^n = \begin{cases} 1 & n \text{ is even} \\ 2 & n \text{ is odd.} \end{cases}$$

For our inductive hypothesis, we assume the following:

$$\operatorname{ord}_{p^e}(p-1)^n = \begin{cases} p^{e-1} & n \text{ is even} \\ 2p^{e-1} & n \text{ is odd.} \end{cases}$$

Now, in our inductive step we need to show:

$$\operatorname{ord}_{p^{e+1}}(p-1)^n = \begin{cases} p^e & n \text{ is even} \\ 2p^e & n \text{ is odd.} \end{cases}$$

When $n$ is even:

$$(p-1)^{np^e} = 1 - np^e p + \frac{np^e(np^e - 1)}{2}p^2 - \cdots + p^{np^e}$$
$$= 1 - kp^{e+1}$$
$$\equiv 1 \pmod{p^{e+1}},$$

where $k \in \mathbb{Z}$.

When $n$ is even, let $x$ be the least integer such that the following equivalent equations hold:

$$(p-1)^{xn} \equiv 1 \pmod{p^{e+1}}$$
$$1 - xnp + \frac{xn(xn-1)}{2}p^2 - \cdots + p^{xn} \equiv 1 \pmod{p^{e+1}}$$
$$-xnp + \frac{xn(xn-1)}{2}p^2 - \cdots + p^{xn} \equiv 0 \pmod{p^{e+1}}$$
$$px(-n + dp) \equiv 0 \pmod{p^{e+1}},$$

where $d \in \mathbb{Z}$. Since $\gcd(p, n) = 1$, then $p \nmid (-n + dp)$. Therefore $p^e \mid x$, hence the least $x = p^e = \operatorname{ord}_{p^{e+1}}(p-1)^n$. The proof for showing $\operatorname{ord}_{p^{e+1}}(p-1)^n = 2p^e$ when $n$ is odd is parallel to the case when $n$ is even.

Therefore $p^e$ and $2p^e$ are the least integers such that

$$\begin{cases} (p-1)^{np^e} \equiv 1 \pmod{p^{e+1}} & n \text{ is even} \\ (p-1)^{2np^e} \equiv 1 \pmod{p^{e+1}} & n \text{ is odd.} \end{cases}$$

□
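Propositions 15 and 16 are both concrete enough to verify numerically. The following is an added example, not code from the paper: it finds a generator modulo $p^e$, confirms the ingredient $g^{(p^e - p^{e-1})/2} \equiv p^e - 1 \pmod{p^e}$ used in the proof of Proposition 15 together with the special pair $(x, c)$ itself, and compares the actual order of $(p-1)^n$ modulo $p^e$ with the formula of Proposition 16. Helper names and parameters are ours.

```python
# Added example (not from the paper): numerical checks of Proposition 15 (the
# special pair (x, c) for a generator g modulo p^e) and of Proposition 16 (the
# order of (p-1)^n modulo p^e) on constructed small parameters.
from math import gcd


def order(g, n):
    """Multiplicative order of a unit g modulo n (small n only)."""
    return next(k for k in range(1, n) if pow(g, k, n) == 1)


def smallest_generator(p, e):
    """Least g with ord_{p^e}(g) = p^e - p^(e-1); one exists since p is odd."""
    q, phi = p ** e, p ** e - p ** (e - 1)
    return next(g for g in range(2, q) if g % p and order(g, q) == phi)


def special_pair(p, e):
    """(x, c) = ((p^e - p^(e-1))/2, (p^e + p^(e-1))/2) of Proposition 15."""
    return (p ** e - p ** (e - 1)) // 2, (p ** e + p ** (e - 1)) // 2


def proposition_15_holds(p, e):
    """Check both g^x = p^e - 1 (the step used in the proof) and x g^x = c."""
    q, g = p ** e, smallest_generator(p, e)
    x, c = special_pair(p, e)
    half_order_is_minus_one = pow(g, x, q) == q - 1
    return half_order_is_minus_one and (x * pow(g, x, q) - c) % q == 0


def proposition_16_formula(p, e, n):
    """p^(e-1) for even n, 2p^(e-1) for odd n."""
    return p ** (e - 1) if n % 2 == 0 else 2 * p ** (e - 1)


def proposition_16_holds(p, e, n):
    """Compare the actual order of (p-1)^n modulo p^e with the formula."""
    if n < 2 or gcd(p, n) != 1:
        raise ValueError("need n >= 2 with gcd(p, n) = 1")
    q = p ** e
    return order(pow(p - 1, n, q), q) == proposition_16_formula(p, e, n)


if __name__ == "__main__":
    # constructed cases: p = 5, e = 2 gives (x, c) = (10, 15) with generator g = 2
    print(special_pair(5, 2), smallest_generator(5, 2), proposition_15_holds(5, 2))
    print(proposition_16_formula(5, 2, 3), proposition_16_holds(5, 2, 3))
```

With $p = 5$, $e = 2$ and $g = 2$ one has $2^{10} \equiv 24 \pmod{25}$ and $10 \cdot 24 \equiv 15 \pmod{25}$, so $(x, c) = (10, 15)$ is a solution; and $(p-1)^3 = 64 \equiv 14 \pmod{25}$ has order $10 = 2p^{e-1}$, matching the odd-$n$ branch of Proposition 16.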

6. Conclusions and Future Work 

Following Holden and Robinson [3], we counted solutions to the discrete Lambert problem modulo powers of a prime $p$ and we found very similar results regarding the number of solutions for $x$ in $\{1, \ldots, p^e(p-1)\}$ and $\{1, \ldots, p^e m\}$, where $m$ is the multiplicative order of $g$ modulo $p$. For a given $g$ the value $m$ is very important in understanding the number of solutions to the DWP. In addition, we found how solutions modulo $p$ relate to $c$, as well as some special properties between the sum of the solutions and $p^e$. We also found that when $g$ is a generator modulo $p^e$ there is a special $(x, c)$ that satisfies the DWP.

According to Chen and Lotts, when $g = p - 1$, the solutions to the DWP modulo $p$ are very predictable (see Section 3.4 of [1]). Therefore it is not a good choice to use in a cryptosystem. However, they did not consider the solutions to the DWP modulo $p^e$. Due to the change in the multiplicative order of $p - 1$ modulo $p^e$, the patterns in the solutions to the DWP become erratic and cannot be foreseen as far as we can tell.

We should mention that since this work was completed Dara Zirlin [7] has extended our research to the case where $p = 2$ and has also counted the number of fixed points and two-cycles of the discrete Lambert map for all primes $p$. In particular, she has counted the number of solutions $x$ to $xg^x \equiv x \pmod{p^e}$ and the number of solutions $(h, a)$ to the system of congruences:

$$hg^h \equiv a \pmod{p^e} \quad \text{and} \quad ag^a \equiv h \pmod{p^e}$$

where $x$, $a$ and $h$ range through the appropriate sets of integers, $g$ is fixed and $p$ is any prime.